Category Archives: Security

First, let me say thank you to WP Beginner for their EPIC tutorials and guides to fixing/managing/improving/innovating in WordPress. Without resources like theirs, developers like me would be fumbling in the dark with trial and error solutions. 🙂

We were recently hired to clean up an old hacked WordPress website and prepare it for new development. Our normal protocol is to lock down WordPress vulnerabilities, namely that old “Leave a Reply” functionality that lets users comment on blog/news articles. That has been almost always a no-no for about a decade now, because open comment forms lead to URL injection, spam and, worse, hacks.
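Here is what “locking down” the comment functionality looks like in practice. This is an added example written for this post, not code from the page or from any plugin mentioned on it; it uses only core WordPress hooks and assumes you copy it to wp-content/mu-plugins/ (files there load on every request and need no activation):

```php
<?php
/**
 * Plugin Name: Lock Down Comments (added example)
 *
 * Added example for this post, not code from the page or from any plugin
 * named here. Copy it to wp-content/mu-plugins/lockdown-comments.php.
 * Everything below uses only core WordPress hooks and functions.
 */

// Report every post as closed to comments and pingbacks, whatever its own
// setting says. wp-comments-post.php checks comments_open() before saving a
// comment, so direct POSTs to it are rejected too.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// Hide comments that were left before the lock-down from the front end.
add_filter( 'comments_array', '__return_empty_array', 20, 2 );

// Remove comment and trackback support from every post type so the
// "Allow comments" controls disappear from the editor.
add_action( 'admin_init', function () {
    foreach ( get_post_types() as $post_type ) {
        if ( post_type_supports( $post_type, 'comments' ) ) {
            remove_post_type_support( $post_type, 'comments' );
            remove_post_type_support( $post_type, 'trackbacks' );
        }
    }
} );

// Take the Comments screen and the Discussion settings page out of wp-admin.
add_action( 'admin_menu', function () {
    remove_menu_page( 'edit-comments.php' );
    remove_submenu_page( 'options-general.php', 'options-discussion.php' );
} );

// Send anyone who types the Comments screen URL directly back to the dashboard.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( 'edit-comments.php' === $pagenow ) {
        wp_safe_redirect( admin_url() );
        exit;
    }
} );

// Drop the comments bubble from the admin toolbar.
add_action( 'admin_bar_menu', function ( $wp_admin_bar ) {
    $wp_admin_bar->remove_node( 'comments' );
}, 999 );

// Stop the comment-reply script from loading on the front end.
add_action( 'wp_enqueue_scripts', function () {
    wp_dequeue_script( 'comment-reply' );
}, 100 );

// Close the comment feeds as well: drop the <link> tags in the head and
// refuse the feed itself, since feeds query comments directly and would
// otherwise still expose old ones.
add_filter( 'feed_links_show_comments_feed', '__return_false' );
add_action( 'do_feed_rss2', function ( $is_comment_feed ) {
    if ( $is_comment_feed ) {
        wp_die( 'Comment feeds are disabled.', '', array( 'response' => 403 ) );
    }
}, 1 );
```

Using a must-use plugin rather than the theme’s functions.php means the lock-down survives a theme switch, which is exactly when a cleaned-up site tends to get its comment form back by accident.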

WordPress 5.0 “broke” our sites. But not really…

Yes, after WordPress 5.0 Gutenberg was installed, we did find editing pages and posts rather challenging. The platform is amazing if you are launching a brand new website or blog. However, those of us who have fully developed or fully cooked websites using an existing designed theme complete with plugins, widgets and more…. found ourselves Gutted. 🙂 LOL!

But have no fear.

One plugin. Fixes. It all.

We installed Disable Gutenberg.

LINK: https://wordpress.org/plugins/disable-gutenberg/

Jeff Starr, thank you!! YOU ROCK!! https://twitter.com/perishable

This plugin disables the new Gutenberg Editor (aka Block Editor) and replaces it with the Classic Editor. You can disable Gutenberg completely, or selectively disable for posts, pages, roles, post types, and theme templates. Plus you can hide the Gutenberg nag, menu item, and more!

MORE? READ BELOW!

How to install ‘Disable Gutenberg’

STEP 1: Go to Plugins and hit ADD NEW

STEP 2: Type “Disable Gutenberg” into the search box in the far right corner!

STEP 3: Navigate to the first choice!!! Like below! and hit INSTALL NOW!

STEP 4: Be patient and know you are so close to solution.

STEP 5: Hit ACTIVATE as soon as it appears!

STEP 6: Once you see the Plugin Activated … go back to your page or post and hit Refresh and you’ll see you are in business!

STEP 7: Get coffee, breathe and know you’ve been saved by Jeff Starr and the WordPress open source community.

That’s it.

Seriously.

Feel free to read the rest of the page if you are interested in knowing more.

MORE INFORMATION:

The all-in-one, COMPLETE solution for handling Gutenberg.
Hide ALL traces of Gutenberg and replace with the Classic Editor.
Restores the original Edit Post screen (TinyMCE, meta boxes, et al).

The Disable Gutenberg plugin restores the classic (original) WordPress editor and the “Edit Post” screen. So you can continue using plugins and theme functions that extend the Classic Editor. Supports awesome features like Meta Boxes, Quicktags, Custom Fields, and everything else the Classic Editor can do.

Does not “expire” in 2022!

Easy to Use

Just activate and done! The default plugin settings are configured to hide all traces of the Gutenberg Block Editor, and fully restore the original Classic Editor. Further options for customizing when/where Gutenberg is enabled are available in the plugin settings.

Options

Disable Gutenberg completely (all post types)

Disable Gutenberg for any post type

Disable Gutenberg for any user role

Disable Gutenberg for any theme template

Disable Gutenberg for any post/page IDs

Disable Gutenberg admin notice (nag)

Option to hide the plugin menu item

Option to hide the Gutenberg plugin menu item (settings link)

Adds “Classic Editor” link to each post on the Posts screen

Adds item to the WP sidebar menu: “Add New (Classic)”

NEW! Option to enable Custom Fields Meta Box for ACF

NEW! Choose which editor to use for each post

NEW! Whitelist any post title, slug, or ID

Works same way as Classic Editor plugin, but can do a LOT more!
Lightweight and super fast, built with the WP API
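For the curious, the selective options above all come down to two filters that WordPress 5.0 added to core. The following is an added example written for this post, not the Disable Gutenberg plugin’s own code; it reproduces four of the options (by post type, by user role, by post ID and by theme template) with those core filters, and the post type name, role names, IDs and template file name in it are placeholders to change for your site:

```php
<?php
/**
 * Plugin Name: Selective Block Editor (added example)
 *
 * Added example, not the Disable Gutenberg plugin's own code. Save as
 * wp-content/mu-plugins/selective-block-editor.php. The "product" post
 * type, the role names, the post IDs and the template file name below are
 * placeholders.
 */

// 1. By post type: keep the classic editor for pages and for a hypothetical
//    "product" post type; everything else gets the block editor.
add_filter( 'use_block_editor_for_post_type', function ( $use_block_editor, $post_type ) {
    $classic_only = array( 'page', 'product' ); // placeholders
    return in_array( $post_type, $classic_only, true ) ? false : $use_block_editor;
}, 10, 2 );

// 2. By post: WordPress runs this filter after the post-type one, with the
//    post-type decision as $use_block_editor, so this can only narrow it.
add_filter( 'use_block_editor_for_post', function ( $use_block_editor, $post ) {
    if ( ! $use_block_editor ) {
        return false;
    }

    // By role: editors and authors stay on the classic editor.
    $classic_roles = array( 'editor', 'author' ); // placeholders
    $user_roles    = (array) wp_get_current_user()->roles;
    if ( array_intersect( $classic_roles, $user_roles ) ) {
        return false;
    }

    // By post ID: a short list of legacy pages built with shortcodes.
    $classic_ids = array( 2, 17, 42 ); // placeholder IDs
    if ( in_array( (int) $post->ID, $classic_ids, true ) ) {
        return false;
    }

    // By theme template: anything assigned a page-builder template.
    $classic_templates = array( 'template-builder.php' ); // placeholder file name
    if ( in_array( get_page_template_slug( $post ), $classic_templates, true ) ) {
        return false;
    }

    return true;
}, 10, 2 );
```

Returning false from either filter is all it takes to get the classic “Edit Post” screen back for that case; the plugin wraps the same two decisions in a settings page so nobody has to edit PHP.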

Disable Gutenberg is developed by Jeff Starr, 13-year WordPress developer, book author, and support guru.

Super light & fast plugin, super easy on server resources!

Why?

Gutenberg is a useful editor but sometimes you want to disable it for specific posts, pages, user roles, post types, or theme templates. Disable Gutenberg enables you to disable Gutenberg and replace it with the Classic Editor wherever you want. For example, lots of WordPress users already enjoy robust page-building functionality via one of the many great plugins like Composer or Elementor. So many options, no need to feel “locked in” to using Gutenberg!

The Disable Gutenberg plugin is targeted at everyone who is not ready for the major changes brought by Gutenberg. Install Disable Gutenberg NOW to be ready for when Gutenberg is finally merged into core and released to the public (likely in WP 5.0). That way, your users and clients will experience the same awesome UX as before.

GDPR

This plugin does not collect any user data. So it does not do anything to make your site less compliant with GDPR. I have done my best to ensure that this plugin is 100% GDPR compliant, but I’m not a lawyer so can’t guarantee anything. To determine if your site is GDPR compliant, please consult an attorney.

Great article: https://digwp.com/2018/04/how-to-disable-gutenberg/
Want to develop in Gutenberg?
https://docs.classicpress.net/installing-classicpress/#migrate-classicpress

Big thank you and shout out for WordFence for monitoring, managing, education and publishing key invaluable articles that help webmasters, website developers and website managers around the world protect their clients and their websites! 🙂

Next steps:

1. As always, before I do anything, ensure back-ups of website & database are in place so that a safety net is created.
2. Audit each hosting plan to ensure the upgrade is easily implemented.
3. Audit each website to ensure theme, plugins and widgets are compatible.
4. Sanity Repeat – Just to check your ego at the door, double check that you didn’t miss anything. Feel free to call an expert like Jeremy Broekman or hire a programmer on Codeable.io to help out!

READ MORE: broekmancomm.com/wordpress-maintenance-and-security/

Using PHP 5 Becomes Dangerous in 2 Months

WordPress, Joomla, Drupal and many other popular website CMSs were written in a programming language called PHP. PHP version 5 is about to reach end-of-life and will stop receiving security updates in two months. Many WordPress and other PHP websites remain on version 5.6 or older. Once support for PHP 5 ends in two months, these sites are in a precarious position and will become exploitable as new PHP 5 vulnerabilities emerge without security updates.

This post is in a FAQ format and describes why PHP 5 is reaching end-of-life, what the timeline is and what to do about it. The Wordfence team is working to create awareness of this issue in the WordPress and broader PHP community. You can help by sharing this post with your colleagues that manage PHP websites or use WordPress.

What is End-Of-Life or ‘EOL’ in Software?

When a software product reaches EOL, it is no longer supported by software developers. That means that, even if someone finds a security hole in the software, the developers will not fix it.

If a development team is productive, they will release many versions of the software they work on over time. It becomes impractical to support every version of the code ever released. So a compromise needs to be made.

This compromise is that the development team will only support their software for a certain amount of time. After that time has elapsed, the development team suggests that the user community upgrade to a newer version of the same software, which usually does things better than the old versions and is fully supported.

Is PHP Version 5 going to be EOL soon?

Yes. PHP version 5 will be declared End-Of-Life on January 1st, 2019. That is, in approximately two months at the time of writing.

The PHP development team’s policy with regards to end-of-life is as follows: each release of PHP is fully supported for two years from the date of release. Then it is supported for an additional year for critical security issues only. Once three years has elapsed from the date of release, the version of PHP is no longer supported.

PHP 7.0, the very first PHP 7 release, was released on 3 December, 2015, almost three years ago. PHP version 5 is rapidly approaching end-of-life and will no longer be supported starting on 1 January, 2019.

The final branch of PHP version 5 that is still supported is PHP 5.6. Because this is the final PHP 5 branch, the PHP team chose to extend the security fix period from the usual one year to two years. That extended security support will end on 1 January 2019.

Why Should I Upgrade to PHP 7?

As mentioned above, PHP 5 will no longer be supported with security fixes, starting on 1 January 2019. That means that even if a vulnerability is discovered, it won’t be fixed, leaving your website vulnerable.

PHP 7 has many improvements over PHP version 5. These include performance improvements. PHP 5 has many known bugs that relate to performance, memory usage and more. PHP 7 is actively supported and developers are therefore able to implement those improvements and make your website run faster, be more stable and use your expensive resources more efficiently.

As an added benefit, PHP 7 also allows the use of more modern programming structures, which is a nice benefit for software developers.

How can I find out my PHP version?

If you are using WordPress and running the Wordfence security plugin, simply go to “Tools”, then click on the “Diagnostics” tab at the top right. Scroll down to the “PHP Environment” section and you will be able to see your PHP version on the right side of the page.

If you have FTP access to your website, you can create a file with a name that is hard to guess. Then add the following two lines:

<?php
phpinfo();

Save the file in your web root directory and then visit the file in your web browser. Your PHP version will be displayed at the top of the screen. Don’t forget to delete your temporary file once you’re done.
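A phpinfo() page prints far more than the version (paths, loaded modules, environment), which is why the article tells you to delete it. The script below is an added example, not code from the article: it prints only the PHP version and where that branch sits in the support policy the article describes (two years of active support, then one year of security fixes, counted from the branch’s release date). The 7.0 release date and the 5.6 and 7.2 end dates come from the article; the other release dates in the table are assumptions. Run it from the command line with php, or, if you must go through the web server, give it an unguessable name and delete it afterwards just like phpinfo():

```php
<?php
// Added example, not code from the article. Usage: php php-support-check.php
// Runs on PHP 5.6 and later, which is the point: it tells you how long the
// version you are on will keep getting security fixes.

// Release dates per branch. The 7.0 release date and the 5.6 and 7.2 end
// dates are stated in the article; the other release dates are assumed here.
$branches = array(
    '5.6' => array( 'released' => '2014-08-28', 'security_end' => '2019-01-01' ), // extended period (article)
    '7.0' => array( 'released' => '2015-12-03' ),
    '7.1' => array( 'released' => '2016-12-01' ),
    '7.2' => array( 'released' => '2017-11-30' ), // security fixes until 2020-11-30 (article)
);

/**
 * Classify a branch as 'active', 'security' or 'eol' on a given day using the
 * 2 + 1 year policy, unless the branch carries its own security_end date.
 */
function support_status( array $branch, DateTimeImmutable $today ) {
    $released     = new DateTimeImmutable( $branch['released'] );
    $active_end   = $released->modify( '+2 years' );
    $security_end = isset( $branch['security_end'] )
        ? new DateTimeImmutable( $branch['security_end'] )
        : $released->modify( '+3 years' );

    if ( $today < $active_end ) {
        $state = 'active';
    } elseif ( $today < $security_end ) {
        $state = 'security';
    } else {
        $state = 'eol';
    }
    return array( 'state' => $state, 'active_end' => $active_end, 'security_end' => $security_end );
}

$today   = new DateTimeImmutable( 'today' );
$running = PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION;

echo 'Running PHP ' . PHP_VERSION . " (branch $running) on " . $today->format( 'Y-m-d' ) . "\n";

if ( version_compare( PHP_VERSION, '7.2.0', '<' ) ) {
    echo "Below PHP 7.2, the version the article recommends upgrading to.\n";
}

if ( ! isset( $branches[ $running ] ) ) {
    echo "Branch $running is not in this script's table; check https://www.php.net/supported-versions.php\n";
    exit( 1 );
}

$status = support_status( $branches[ $running ], $today );
switch ( $status['state'] ) {
    case 'active':
        echo 'Status: actively supported until ' . $status['active_end']->format( 'Y-m-d' )
           . ', security fixes until ' . $status['security_end']->format( 'Y-m-d' ) . "\n";
        exit( 0 );
    case 'security':
        $days = $today->diff( $status['security_end'] )->days;
        echo 'Status: SECURITY FIXES ONLY, ending ' . $status['security_end']->format( 'Y-m-d' )
           . " ($days days left). Plan the upgrade now.\n";
        exit( 0 );
    default:
        echo 'Status: END OF LIFE since ' . $status['security_end']->format( 'Y-m-d' )
           . ". No security fixes will be released; upgrade immediately.\n";
        exit( 2 );
}
```

The non-zero exit code on an end-of-life branch makes the script usable from a cron job or a deployment check, so a host that silently drops a site back to an old PHP build gets noticed.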

Which specific version of PHP 7 should I upgrade to?

Ideally, you should upgrade to PHP 7.2 which is the newest version of PHP. This version will be fully supported for another year and will receive security updates for a year after that.

If you are unable to upgrade to 7.2, then at a minimum you should upgrade to PHP 7.1. Full support for PHP 7.1 will end in 1 month. However, you will continue to receive security updates for another year after that.

Do not upgrade to PHP 7.0. This version will also become end-of-life in one month.

Does PHP 5 have any vulnerabilities?

Security vulnerabilities are continuously reported in PHP. Some of these are serious. Viewing this page on CVEDetails.com will give you an idea of the volume and severity of PHP vulnerabilities that have recently been reported.

Many of the vulnerabilities reported in PHP were discovered this year. Many more will be discovered in PHP version 5 next year, after security support for all versions of PHP 5 has ended. That is why it is critically important that you upgrade to a version of PHP 7 that is supported and is receiving security updates.

Will anything break if I update to PHP 7.2?

You may discover incompatibilities that need to be fixed by a developer if you update to PHP 7.2. PHP has undergone changes since version 5 that have improved the language and made it more secure, but they may result in warnings or errors for code that has not been made compatible with PHP 7.

However, it is very important that you make sure that your themes and plugins are also compatible with PHP 7.2. If you are using an unmaintained theme or plugin, you may encounter warnings or errors due to incompatibilities. For this reason, we recommend you test your website on a hosting account or server that is running PHP 7.2. If you encounter any problems, contact the developer of the theme or plugin and ask them for an urgent fix. Remind them that PHP 5.6 reaches end-of-life in just two months and that you must update to PHP 7.2 by then.
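Before flipping the version on a test host, it helps to know which themes and plugins are likely to break. The scanner below is an added example, not code from the article: it walks a directory, tokenizes every .php file with PHP’s own token_get_all() and reports plain calls to functions that were removed in PHP 7.0 (the mysql_*, mssql_* and ereg families, split(), set_magic_quotes_runtime(), call_user_method()), deprecated or removed by 7.2 (mcrypt_*, create_function(), each()), and PHP 4 style constructors. It only looks at plain function calls, so a method that happens to be named mysql_query() is a false positive, and a class followed later in the same file by a top-level function of the same name would be misreported as a constructor; PHPCompatibility for PHP_CodeSniffer is the thorough tool, this is the ten-second first pass:

```php
<?php
// Added example, not code from the article. Usage: php php7-scan.php /path/to/wp-content
// Works on PHP 5.6 and later, so it can run on the host you are about to upgrade.

$flagged = array(
    'ereg'                     => 'removed in 7.0, use preg_match()',
    'eregi'                    => 'removed in 7.0, use preg_match() with the i modifier',
    'ereg_replace'             => 'removed in 7.0, use preg_replace()',
    'eregi_replace'            => 'removed in 7.0, use preg_replace()',
    'split'                    => 'removed in 7.0, use explode() or preg_split()',
    'spliti'                   => 'removed in 7.0, use preg_split()',
    'set_magic_quotes_runtime' => 'removed in 7.0, delete the call',
    'call_user_method'         => 'removed in 7.0, use call_user_func()',
    'create_function'          => 'deprecated in 7.2, use a closure',
    'each'                     => 'deprecated in 7.2, use foreach',
);
$flagged_prefixes = array(
    'mysql_'  => 'removed in 7.0, use mysqli_* or PDO (inside WordPress, $wpdb->prepare())',
    'mssql_'  => 'removed in 7.0, use sqlsrv or PDO',
    'mcrypt_' => 'deprecated in 7.1 and removed in 7.2, use openssl_* or sodium',
);

// Return the reason a function name is flagged, or null. Namespace prefixes
// and a leading backslash are stripped before matching.
function reason_for( $name, array $flagged, array $prefixes ) {
    $name = strtolower( substr( strrchr( '\\' . $name, '\\' ), 1 ) );
    if ( isset( $flagged[ $name ] ) ) {
        return $flagged[ $name ];
    }
    foreach ( $prefixes as $prefix => $reason ) {
        if ( strpos( $name, $prefix ) === 0 ) {
            return $reason;
        }
    }
    return null;
}

// Index of the next/previous token that is not whitespace or a comment.
function neighbour( array $tokens, $i, $step ) {
    for ( $j = $i + $step; $j >= 0 && $j < count( $tokens ); $j += $step ) {
        $t = $tokens[ $j ];
        if ( ! is_array( $t ) || ! in_array( $t[0], array( T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ), true ) ) {
            return $j;
        }
    }
    return null;
}

// Scan one file; returns a list of array( line, name, reason ).
function scan_file( $path, array $flagged, array $prefixes ) {
    $tokens = token_get_all( file_get_contents( $path ) );
    $hits   = array();
    $class  = null; // enclosing class name, for PHP 4 style constructors

    // Function-name token kinds and the operators that mean "not a plain call".
    $name_ids  = array( T_STRING );
    $skip_prev = array( T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NEW );
    foreach ( array( 'T_NAME_FULLY_QUALIFIED', 'T_NAME_QUALIFIED' ) as $c ) { // PHP 8 token names
        if ( defined( $c ) ) { $name_ids[] = constant( $c ); }
    }
    if ( defined( 'T_NULLSAFE_OBJECT_OPERATOR' ) ) { $skip_prev[] = T_NULLSAFE_OBJECT_OPERATOR; }

    foreach ( $tokens as $i => $tok ) {
        if ( ! is_array( $tok ) ) { continue; }
        list( $id, $text, $line ) = $tok;

        if ( $id === T_CLASS ) { // remember "class Foo" so "function Foo()" inside it is caught
            $n = neighbour( $tokens, $i, 1 );
            if ( $n !== null && is_array( $tokens[ $n ] ) && $tokens[ $n ][0] === T_STRING ) {
                $class = $tokens[ $n ][1];
            }
            continue;
        }
        if ( ! in_array( $id, $name_ids, true ) ) { continue; }

        $n = neighbour( $tokens, $i, 1 );
        $p = neighbour( $tokens, $i, -1 );
        if ( $n === null || $tokens[ $n ] !== '(' ) { continue; } // not a call
        $prev_id = ( $p !== null && is_array( $tokens[ $p ] ) ) ? $tokens[ $p ][0] : null;

        if ( $prev_id === T_FUNCTION ) { // a definition, not a call
            if ( $class !== null && strcasecmp( $text, $class ) === 0 ) {
                $hits[] = array( $line, "$text()", 'PHP 4 style constructor, deprecated in 7.0, rename to __construct()' );
            }
            continue;
        }
        if ( in_array( $prev_id, $skip_prev, true ) ) { continue; } // method or static call

        $reason = reason_for( $text, $flagged, $prefixes );
        if ( $reason !== null ) { $hits[] = array( $line, "$text()", $reason ); }
    }
    return $hits;
}

$dir   = isset( $argv[1] ) ? $argv[1] : '.';
$total = 0;
$it    = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
foreach ( $it as $file ) {
    if ( $file->getExtension() !== 'php' ) { continue; }
    foreach ( scan_file( $file->getPathname(), $flagged, $flagged_prefixes ) as $hit ) {
        printf( "%s:%d  %s  %s\n", $file->getPathname(), $hit[0], $hit[1], $hit[2] );
        $total++;
    }
}
echo $total === 0 ? "No flagged calls found.\n" : "$total flagged call(s).\n";
exit( $total === 0 ? 0 : 1 );
```

A clean run does not prove a plugin is PHP 7.2 ready (changed behaviour such as the stricter handling of invalid numeric strings will not show up here), but a plugin that still calls mysql_query() in 2018 is, as the article says below, a red flag for an unmaintained project rather than a quick fix.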

What if my hosting company does not support PHP 7?

Your hosting account should include some kind of control panel or options and settings page. If you’re not seeing an option to upgrade to PHP 7, you should contact your hosting company’s support team to see what your options are. If none are available, we recommend you transition to new hosting before the end of the year.

What if my developer does not support PHP 7?

PHP 7.0 was released two years and 10 months ago. If your developer’s plugin, theme, or other PHP product does not support PHP 7 at this point, it is quite likely that the project is unmaintained. If the project was being maintained, then they would have had users who are using PHP 7 report problems within the last 2 years and 10 months, which they would have fixed.

Using unmaintained software is a bad idea because it means that security vulnerabilities are not being fixed. So if you do encounter incompatibilities when upgrading to PHP 7.2, this may be a red flag and may indicate you should move on to using an alternative product that is being actively maintained.

What is the easiest way to upgrade to PHP 7.2?

Many hosting providers offer a one click PHP version change in cPanel. This allows you to switch to PHP 7 and check your site for problems. If something doesn’t work, you can switch back and create a plan for addressing the issues you found.

If you can’t find where to update your PHP version, your hosting provider can advise you how to update PHP in their environment. It may mean them making a change on their end or even moving your site to another server.

Remind me again why I need to update to PHP 7.2?

The really good news is that you are probably going to see a nice performance improvement when you update your site. Sure, you may need to deal with a few, hopefully minor incompatibilities. But once you have updated to PHP 7.2, you can rest assured that you will continue to receive security updates until November 30, 2020.

If you remain on PHP 5.6, you may find yourself dealing with a hacked site some time next year when a vulnerability is released for PHP 5.6 and no fix is released by the PHP team because PHP 5.6 is end-of-life.

How can I help?

This deadline is coming up fast. All versions of PHP 5 will stop receiving security updates in 2 months. There are a huge number of websites that are still on PHP 5. As soon as security updates end, attackers will be highly motivated to find vulnerabilities that they can exploit, because those vulnerabilities will not be fixed and will be exploitable for a long time.

To help transition the global web community to PHP 7, please spread the word by sharing this post and helping create awareness about this tight deadline and how to transition to PHP 7.